From 8cbdfdd086e84f7d45a7c25e992f4024eca13dee Mon Sep 17 00:00:00 2001
From: Valswyn-NHS
Date: Mon, 8 Sep 2025 11:50:50 +0100
Subject: [PATCH 01/11] APIM-6390-modified SBOM implementation

---
 .github/workflows/sbom.yml | 57 ++++++++------------------------------
 scripts/create-sbom.sh | 19 -------------
 scripts/update-sbom.py | 21 --------------
 3 files changed, 12 insertions(+), 85 deletions(-)
 delete mode 100644 scripts/create-sbom.sh
 delete mode 100644 scripts/update-sbom.py

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 670731dfd..471ac39b4 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -10,63 +10,30 @@ on: options: - yes - no - -env: - SYFT_VERSION: "1.27.1" - TF_VERSION: "1.12.2" + default: yes jobs: deploy: + if: ${{ github.event.inputs.environment == 'yes' }} name: Software Bill of Materials runs-on: ubuntu-latest permissions: actions: read contents: write - steps: - - name: Checkout - uses: actions/checkout@v5 - - - name: Setup Python 3.13 - uses: actions/setup-python@v5 - with: - python-version: "3.13" - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{ env.TF_VERSION }} + steps: + - name: Checkout repository + uses: actions/checkout@v5 - - uses: terraform-linters/setup-tflint@v5 - name: Setup TFLint + - name: Generate SBOM + uses: anchore/sbom-action@v0 with: - tflint_version: v0.58.0 - - - name: Set architecture variable - id: os-arch - run: | - case "${{ runner.arch }}" in - X64) ARCH="amd64" ;; - ARM64) ARCH="arm64" ;; - esac - echo "arch=${ARCH}" >> $GITHUB_OUTPUT - - - name: Download and setup Syft - run: | - DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz" - echo "Downloading: ${DOWNLOAD_URL}" - - curl -L -o syft.tar.gz "${DOWNLOAD_URL}" - tar -xzf syft.tar.gz - chmod +x syft - - # Add to PATH for subsequent steps - echo "$(pwd)" >> $GITHUB_PATH - - - name: Create SBOM - run: bash scripts/create-sbom.sh terraform python tflint + path: ./ + format: cyclonedx-json + artifact-name: sbom-repo.cdx.json - - name: Upload SBOM as artifact + - name: Upload SBOM artifact uses: actions/upload-artifact@v4 with: name: sbom - path: sbom.json \ No newline at end of file + path: sbom-repo.cdx.json diff --git a/scripts/create-sbom.sh b/scripts/create-sbom.sh deleted file mode 100644 index 44ff0311e..000000000 --- a/scripts/create-sbom.sh +++ /dev/null 
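Review bot: The new "Upload SBOM artifact" step reads `sbom-repo.cdx.json` from the workspace, but nothing in the "Generate SBOM" step tells `anchore/sbom-action` to write there — `artifact-name` only names the artifact the action uploads itself, and the action appears to write its file under a temporary directory (the PATCH 08 and PATCH 09 hunks later work around this by globbing `/tmp/sbom-action-*`). Setting the action's `output-file` input, e.g. `output-file: sbom-repo.cdx.json` under `with:`, fixes the location so the upload step and any cleanup can use a known path; if the separate upload step is kept, `upload-artifact: false` avoids publishing the SBOM twice. `uses: anchore/sbom-action@v0` is a floating major tag, so the tool that produces the inventory can change under the workflow without review; for an SBOM pipeline it is worth pinning to a full commit SHA with the version in a trailing comment. The job keeps `contents: write` although the new steps only check out and upload an artifact; `contents: read` looks sufficient and should be confirmed once the final step list settles.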
@@ -1,19 +0,0 @@ -#!/bin/bash -set -euo pipefail -IFS=$'\n\t' - -REPO_ROOT=$(git rev-parse --show-toplevel) - -# Generate SBOM for current directory -syft -o spdx-json . > "$REPO_ROOT/sbom.json" - -# Generate and merge SBOMs for each tool passed as argument -for tool in "$@"; do - echo "Creating SBOM for $tool and merging" - tool_path=$(command -v "$tool") - if [[ -z "$tool_path" ]]; then - echo "Warning: '$tool' not found in PATH. Skipping." >&2 - continue - fi - syft -q -o spdx-json "$tool_path" | python "$REPO_ROOT/scripts/update-sbom.py" -done \ No newline at end of file diff --git a/scripts/update-sbom.py b/scripts/update-sbom.py deleted file mode 100644 index 31042d178..000000000 --- a/scripts/update-sbom.py +++ /dev/null @@ -1,21 +0,0 @@ -import json -import sys -from pathlib import Path - - -def main() -> None: - with Path("sbom.json").open("r") as f: - sbom = json.load(f) - - tool = json.loads(sys.stdin.read()) - - sbom.setdefault("packages", []).extend(tool.setdefault("packages", [])) - sbom.setdefault("files", []).extend(tool.setdefault("files", [])) - sbom.setdefault("relationships", []).extend(tool.setdefault("relationships", [])) - - with Path("sbom.json").open("w") as f: - json.dump(sbom, f) - - -if __name__ == "__main__": - main() From ce3034964f3d69baee03005658fd6b1cadaa43da Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Mon, 8 Sep 2025 12:02:32 +0100 Subject: [PATCH 02/11] Correcting options --- .github/workflows/sbom.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 471ac39b4..df82f20d1 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -8,9 +8,9 @@ on: required: true type: choice options: - - yes - - no - default: yes + - "yes" + - "no" + default: "yes" jobs: deploy: From 2173eb820804f6a4c2a4bcb04da43a4797cc0720 Mon Sep 17 00:00:00 2001 
From: Valswyn-NHS Date: Mon, 8 Sep 2025 12:09:35 +0100 Subject: [PATCH 03/11] Correcting workflow --- .github/workflows/sbom.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index df82f20d1..f77f3f5de 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -4,17 +4,17 @@ on: workflow_dispatch: inputs: environment: - description: "Run SBOM check" + description: "Apply SBOM check" required: true type: choice options: - - "yes" - - "no" - default: "yes" + - apply + - skip + default: apply jobs: - deploy: - if: ${{ github.event.inputs.environment == 'yes' }} + sbom-check: + if: ${{ github.event.inputs.environment == 'apply' }} name: Software Bill of Materials runs-on: ubuntu-latest permissions: @@ -26,7 +26,7 @@ jobs: uses: actions/checkout@v5 - name: Generate SBOM - uses: anchore/sbom-action@v0 + uses: anchore/sbom-action@v0.9.0 with: path: ./ format: cyclonedx-json @@ -35,5 +35,8 @@ jobs: - name: Upload SBOM artifact uses: actions/upload-artifact@v4 with: - name: sbom + name: sbom-${{ github.run_id }} path: sbom-repo.cdx.json + + - name: Clean up SBOM file + run: rm sbom-repo.cdx.json From 9b22f474c6cb19d3a714637908423c3740ea548a Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Mon, 8 Sep 2025 12:25:26 +0100 Subject: [PATCH 04/11] Correcting name --- .github/workflows/sbom.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index f77f3f5de..755e1482a 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -30,13 +30,13 @@ jobs: with: path: ./ format: cyclonedx-json - artifact-name: sbom-repo.cdx.json + artifact-name: sbom.json - name: Upload SBOM artifact uses: actions/upload-artifact@v4 with: name: sbom-${{ github.run_id }} - path: sbom-repo.cdx.json + path: sbom.json - name: Clean up SBOM file - run: rm sbom-repo.cdx.json + run: rm sbom.json 
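Review bot: The added "Clean up SBOM file" step, `run: rm sbom-repo.cdx.json`, fails the whole job when the file is not in the workspace, and whether it is there depends on where `anchore/sbom-action` writes its output (not set in this hunk); on a hosted `ubuntu-latest` runner the workspace is discarded at job end anyway, so the step adds a failure mode without a benefit. Drop the step, or if it is kept make it `run: rm -f sbom-repo.cdx.json`. Pinning `anchore/sbom-action@v0.9.0` in the second hunk is an improvement over `@v0` and should be kept (the PATCH 07 hunk reverts it). As a naming point, the input is still called `environment` while its values are now `apply`/`skip`; a name such as `run_sbom` would read better in `if: ${{ github.event.inputs.environment == 'apply' }}`.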
From 86766f1a19954dd5f53058cf3fad328212e3aed2 Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Mon, 8 Sep 2025 12:38:01 +0100 Subject: [PATCH 05/11] Set upload-artifact to true --- .github/workflows/sbom.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 755e1482a..11bf4f69b 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -30,13 +30,7 @@ jobs: with: path: ./ format: cyclonedx-json - artifact-name: sbom.json + artifact-name: sbom-repo.cdx.json + upload-artifact: true - - name: Upload SBOM artifact - uses: actions/upload-artifact@v4 - with: - name: sbom-${{ github.run_id }} - path: sbom.json - - name: Clean up SBOM file - run: rm sbom.json From 62e240464bf0e439ba5552ee6a7cdead90a49516 Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Mon, 8 Sep 2025 12:45:25 +0100 Subject: [PATCH 06/11] Setting secret token --- .github/workflows/sbom.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 11bf4f69b..98f44f8f0 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -32,5 +32,6 @@ jobs: format: cyclonedx-json artifact-name: sbom-repo.cdx.json upload-artifact: true + github-token: ${{ secrets.GITHUB_TOKEN }} From 1e1f50fc3c976fb2d5cc977b32c669ee53874697 Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Mon, 8 Sep 2025 12:52:55 +0100 Subject: [PATCH 07/11] Setting proper artifact name --- .github/workflows/sbom.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 98f44f8f0..25d7e97de 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml 
@@ -26,11 +26,11 @@ jobs: uses: actions/checkout@v5 - name: Generate SBOM - uses: anchore/sbom-action@v0.9.0 + uses: anchore/sbom-action@v0 with: path: ./ format: cyclonedx-json - artifact-name: sbom-repo.cdx.json + artifact-name: identity-repo-sbom.cdx.json upload-artifact: true github-token: ${{ secrets.GITHUB_TOKEN }} From 4044afc9180e783a9127fffe6e324bdf3289b8af Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Mon, 8 Sep 2025 12:57:22 +0100 Subject: [PATCH 08/11] Few modifications to workflow --- .github/workflows/sbom.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 25d7e97de..b476107b0 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -31,7 +31,13 @@ jobs: path: ./ format: cyclonedx-json artifact-name: identity-repo-sbom.cdx.json - upload-artifact: true - github-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SBOM artifact + uses: actions/upload-artifact@v4 + with: + name: sbom-action-${{ github.run_id }} + path: identity-repo-sbom.cdx.json + - name: Clean up SBOM file + run: rm identity-repo-sbom.cdx.json From 348b979c77b00e17afefffd5d279c0d9cf84d4ce Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Mon, 8 Sep 2025 13:02:44 +0100 Subject: [PATCH 09/11] Few modifications to file path --- .github/workflows/sbom.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index b476107b0..adb74c760 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -36,8 +36,9 @@ jobs: uses: actions/upload-artifact@v4 with: name: sbom-action-${{ github.run_id }} - path: identity-repo-sbom.cdx.json + path: /tmp/sbom-action-*/identity-repo-sbom.cdx.json + if-no-files-found: warn - name: Clean up SBOM file - run: rm identity-repo-sbom.cdx.json + run: rm /tmp/sbom-action-*/identity-repo-sbom.cdx.json || true 
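Review bot: Reverting `uses: anchore/sbom-action@v0.9.0` to `uses: anchore/sbom-action@v0` replaces a fixed version with a floating major tag, so the action that generates the SBOM can change between runs without a reviewed change to this workflow. If the pin was reverted because `v0.9.0` did not resolve, the fix is a tag that exists, not the moving tag; the strongest form is a full commit SHA with the version recorded beside it, `uses: anchore/sbom-action@<full-commit-sha> # v0.x.y` (placeholder — take the SHA from the action's release). The same applies to the other `uses:` lines in this file once they are settled.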
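Review bot: `if-no-files-found: warn` on the upload step, together with `run: rm /tmp/sbom-action-*/identity-repo-sbom.cdx.json || true`, means a run that produced no SBOM at all still finishes green, which defeats the purpose of the job; `if-no-files-found: error` makes the missing inventory a visible failure. The glob `/tmp/sbom-action-*/` also depends on an internal temp-directory layout of `anchore/sbom-action` that is not part of its interface; setting the action's `output-file` input to a path in the workspace (as raised on the PATCH 01 hunk) removes the guesswork. The `|| true` can then go, or the cleanup step can be dropped entirely since the hosted runner is discarded at job end.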
From 488012b703a4cf16b0c7b2cbb37fd0ba0487c04a Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Mon, 8 Sep 2025 14:36:50 +0100 Subject: [PATCH 10/11] Building repo before running sbom check --- .github/workflows/sbom.yml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index adb74c760..31cd231d0 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -25,6 +25,44 @@ jobs: - name: Checkout repository uses: actions/checkout@v5 + - name: Install Python 3.9 + uses: actions/setup-python@v5 + with: + python-version: 3.9 + + - name: Update apt repositories + run: sudo apt update + + - name: Install Java + run: sudo apt-get install --yes default-jre default-jdk + + - name: Install node + run: | + wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add - + curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash - + sudo apt-get install -y nodejs + + - name: Upgrade python packaging tools + run: python -m pip install --upgrade pip setuptools wheel + + - name: Install poetry + run: pip install "poetry<2.0.0" + + - name: Cache poetry packages + uses: actions/cache@v4 + with: + path: ~/.cache/pypoetry + key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }} + + - name: Cache node modules + uses: actions/cache@v4 + with: + path: ~/.npm + key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }} + + - name: Install repo + run: make install + - name: Generate SBOM uses: anchore/sbom-action@v0 with: From 1ef4b6917757252ecc826e24cf473607849320e4 Mon Sep 17 00:00:00 2001 From: Valswyn-NHS Date: Mon, 8 Sep 2025 14:43:13 +0100 Subject: [PATCH 11/11] Upgarded node version --- .github/workflows/sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 31cd231d0..ab6bcd37f 100644 
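Review bot: The "Install node" step runs `curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash -`, which executes an unpinned remote script as root on every run, and the preceding `wget ... linux_signing_key.pub | sudo apt-key add -` imports a Google signing key that appears unrelated to the Node install while using the deprecated `apt-key`. Replacing the three-line `run:` with `uses: actions/setup-node@v4` and `with: node-version: "14"` (or whatever version is intended; PATCH 11 bumps it to 18) removes the remote-script execution and gives a reviewable, pinnable install. `python-version: 3.9` is an unquoted YAML float; it happens to round-trip, but `3.10` would parse as `3.1`, so quote it as `python-version: "3.9"`. `pip install "poetry<2.0.0"` is also unpinned; since the job exists to produce a dependency inventory, installing the build tooling from fixed versions keeps the SBOM reproducible.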
--- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -39,7 +39,7 @@ jobs: - name: Install node run: | wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add - - curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash - + curl -sL https://deb.nodesource.com/setup_18.x | sudo -E bash - sudo apt-get install -y nodejs - name: Upgrade python packaging tools